Starting a SOC 2 audit is overwhelming. Our SOC 2 Compliance Checklist will prepare you to complete your audit successfully.
You know you need a SOC 2 audit, but don’t know what to expect or how to get started. This guide will prepare you for what your auditors are looking for and how to confidently begin your SOC 2 compliance journey.
What is a SOC 2 Compliance audit?
A SOC 2 audit attests that the system or service you provide to your clients is secure, trustworthy, and prepared to handle risks. This attestation is achieved through a quality examination of your people, processes, and technologies by an experienced, licensed CPA firm.
A SOC 2 audit validates your organization’s commitment to delivering high quality, secure services to your clients.
What’s included in the SOC 2 compliance checklist?
This exclusive SOC 2 compliance checklist, prepared by KirkpatrickPrice’s SOC 2 compliance professionals, outlines the specifics of each system component that will be evaluated during your SOC 2 audit.
The SOC 2 Checklist will cover:
The Trust Services Criteria
The system components evaluated in your audit
Which policies and procedures need to be in place
Average length of a SOC 2 audit
Answers to frequently asked SOC 2 questions
Keep in mind, you don’t have to have everything perfectly in place to start your audit; this checklist should just be a tool to help you prepare for your audit. If you need help putting controls in place, contact one of our experts today! We want to make sure you feel ready to successfully complete your SOC 2 audit.
Prepare to successfully start and complete your SOC 2 audit by downloading the SOC 2 Compliance Checklist!
NorthStar Education Services, a student financial aid and payment company, today announced that it has completed its SOC 2 Type II audit, performed by KirkpatrickPrice. This attestation provides evidence that NorthStar Education Services has a strong commitment to security and to delivering high-quality services to its clients by demonstrating that they have the necessary internal controls and processes in place.
A SOC 2 audit provides an independent, third-party validation that a service organization’s information security practices meet industry standards stipulated by the AICPA. During the audit, a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system are tested. The SOC 2 report delivered by KirkpatrickPrice verifies the suitability of the design and operating effectiveness of NorthStar Education Services’s controls to meet the standards for these criteria.
Taige Thornton, President of NorthStar Education Services, said, “All organizations should ask for SOC reporting from their outsourced service vendors. Whether a vendor can provide a SOC report is a serious risk component that companies need to consider during any vendor due diligence analysis.”
“The SOC 2 audit is based on the Trust Services Criteria,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “NorthStar Education Services delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on NorthStar Education Services’s controls.”
About NorthStar Education Services
NorthStar Education Services is an affiliate of Ascendium Education Group. For 50 years, our focus has been to deliver industry leading tools to support educational accessibility and success through student loan repayment, employee benefit/payment assistance, next generation financial wellness and education loan refinancing programs.
About KirkpatrickPrice
KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over a thousand clients in North America, South America, Asia, Europe, and Australia. The firm has more than a decade of experience in information security by performing assessments, audits, and tests that strengthen information security practices and internal controls. KirkpatrickPrice most commonly performs assessments on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and FERPA frameworks, as well as advanced-level penetration testing. For more information, visit https://kirkpatrickprice.com, follow KirkpatrickPrice on LinkedIn, or subscribe to our YouTube channel.
What are the Trust Services Criteria?
Once your organization has decided that you are ready to pursue a SOC 2 attestation, the first thing you have to decide is which of the five Trust Services Criteria (TSP) you want to include in your SOC 2 audit report. Becoming familiar with the categories of security, availability, confidentiality, processing integrity, and privacy should be one of the first steps in your scoping process. On a basic level, you can think about the Trust Service Criteria in terms of these concepts:
Security – Is the system protected, both physically and logically, against unauthorized access?
Availability – Is the system available for operation and use as agreed upon?
Confidentiality – Is the information that’s designated as confidential protected as agreed upon?
Processing Integrity – Are the processing services provided in a complete, accurate, and timely, manner?
Privacy – Is personal information collected, used, retained, disclosed, and destroyed in accordance with the service organization’s privacy notice and business objectives?
Which Trust Services Criteria Apply to My Organization?
Security is the category that applies to all engagements and is what the remaining Trust Services Criteria are based on. In a non-privacy SOC 2 engagement, the security category must be included. The security category consists of the complete set of the common criteria, which integrate with the 2018 COSO Internal Control — Integrated Framework. The common criteria are categorized based on the following:
Control environment
Communication and information
Risk assessment
Monitoring activities
Control activities
Logical and physical access controls
System operations
Change management
Risk mitigation
It’s important to note, though, that your organization isn’t required to address all five of the Trust Services Criteria in our SOC 2 report; however, you should select the categories that are relevant to the services that you provide to your clients. So, aside from security, which apply to your organization: availability, processing integrity, confidentiality, and/or privacy?
Are you considering going through an information security audit for the first time? Are you contemplating a requirement for all of your vendors to undergo information security audits? Are you looking for an auditing firm who can help your organization utilize the benefits of auditing? Do you need help explaining the value of information security audits to executive management? Are you trying to cultivate a culture of compliance within your organization? We’re here to help.
What are the Advantages to Auditing?
Many people are intimidated by the requirements, price, and efforts of auditing, but we believe the benefits outweigh the cost. Yes, undergoing information security audits is a challenging and time-consuming process for most organizations, but our Information Security Specialists aim to educate clients on the value that attestations and compliance can bring to their business, which range from competitive advantages to reputational improvement. When your organization has completed an information security audit and gained compliance, the challenges you faced will be worth it.
However, getting executives on board with undergoing information security audits can be challenging, because many organizations are fearful of the process. We see many organizations get stuck in the checkbox mentality, where they view auditing as an item to be checked off a list rather than understanding the purpose and benefits. At KirkpatrickPrice, we want to be your audit partner, not just an item to check off on a list. We want to walk through this audit lifecycle with you, enhancing your business by placing security and compliance at the forefront of the current threat landscape.
Are you ready to get started on securing your business? Do you want to ensure your security posture is as strong as possible? Do you want to see how your mindset toward auditing can change over a three-year period? KirkpatrickPrice offers a wide variety of information security testing and auditing services. To learn more, contact a KirkpatrickPrice information security specialist today.
What is a SOC 2 Audit?
A SOC 2 audit is an audit of a service organization’s non-financial reporting controls as they relate to the Trust Services Criteria – the security, availability, processing integrity, confidentiality, and privacy of a system. A SOC 2 audit report provides user entities with reasonable assurance and peace of mind that the non-financial reporting controls at a service organization are suitably designed, in place, and appropriately protecting sensitive client data. There are two types of SOC 2 audit reports: SOC 2 Type I and SOC 2 Type II.
SOC 2 Type I vs. SOC 2 Type II: What’s the Difference?
SOC 2 Type I and SOC 2 Type II both report on the non-financial reporting controls and processes at a service organization as they relate to the Trust Services Criteria. There are many other similarities between SOC 2 Type I and SOC 2 Type II reports, but there is one key difference.
What is a SOC 2 Type I Report?
A SOC 2 Type I report—also written SOC 2 Type 1—is an attestation of controls at a service organization at a specific point in time. SOC 2 Type I reports on the description of controls provided by the management of the service organization and attests that the controls are suitably designed and implemented.
What is a SOC 2 Type II Report?
A SOC 2 Type II report—also written SOC 2 Type 2—is an attestation of controls at a service organization over a minimum six-month period. SOC 2 Type II reports on the description of controls provided by the management of the service organization, attests that the controls are suitably designed and implemented, and attests to the operating effectiveness of the controls.
During a SOC 2 Type II audit, the auditor will carry out field work on a sample of days across the testing period to observe how controls are implemented and how effective they are.
As you can see, the key difference between SOC 2 Type I and SOC 2 Type II reports is that Type II reports are conducted over a significantly longer period. This allows Type II reports to attest to control effectiveness, something that is not possible with the shorter Type 1 report, which can only attest to the suitability of design and implementation.
Which SOC 2 Compliance Report Is Right for Your Business?
As a CPA firm, we advise clients who are engaging in a SOC 2 audit for the first time to begin with a Type I and move on to a Type II the following audit period. This gives service organizations a good starting point and more time to focus on the description of their system, allowing them to mature their environment over time.
Many organizations are required to undergo a third-party SOC 2 audit. If you have questions about which type of SOC report you need or want help demonstrating to your clients your commitment to security and compliance, contact us today.
There are two types of SOC 2 audit reports: Type I and Type II. Often times, if you’re doing a SOC 2 audit report for the first time, you’ll start with a Type I. It’s an engagement where we, as an auditor, are reporting on management’s description of the controls that are placed into operation. We will also provide an opinion on the suitability of the design of those controls.
A Type II report for a SOC 2 audit includes the exact same sections as I just mentioned in the Type I, but there’s an additional section that talks about the operating effectiveness of those controls that you’ve put into place. What the auditor does in a Type II report is perform tests of operating effectiveness to validate that the controls are in place and operating effectively. It’s important to understand the distinction between the two types of reports because your clients may ask for a Type II and you need to be aware of what the difference is between the SOC 2 Type I vs. SOC 2 Type II. If you are just beginning the SOC 2 audit process, you may consider beginning with the Type I so that we can spend more time focused on your description of the system that you have in place at your service organization, and whether or not those controls are suitably designed before moving onto testing of operating effectiveness in the SOC 2 Type II audit report.